README
Purpose
Research on Tailscale’s SSH capabilities, network sharing options, and access control mechanisms for secure remote collaboration. This covers how to enable SSH access, configure ACL policies, and manage user invitations and device sharing.
Contents
- ssh-and-network-sharing.md - Comprehensive guide to Tailscale SSH, network invitations, device sharing, ACL configuration, and access control rules
- open-source-alternatives.md - Detailed comparison of open source Tailscale alternatives including Headscale, NetBird, Nebula, ZeroTier, Netmaker, and Innernet with feature matrices, decision guides, and migration paths
Key Findings
- Tailscale SSH provides secure SSH access without managing SSH keys, using WireGuard authentication and ACL policies for access control
- Device ownership is critical: Users cannot SSH into devices owned by other users unless those devices are tagged or explicitly shared
- Two invitation approaches: Full tailnet invitations (for multiple devices and team members) and device sharing (for limited, single-device access)
- ACL policies control access: SSH access is governed by rules that specify source devices/users, destination devices/tags, and which system users can be accessed
- User-owned devices are protected by default: This is a security feature preventing unauthorized access to personal machines unless explicitly shared or tagged
- Workarounds for accessing others’ machines: Device tagging, explicit device sharing, or using shared tagged servers are the recommended approaches
- Unused invitations expire after 30 days: Temporary access is automatically revoked if not accepted
Quick Start
- Enable SSH on your machine:

  ```bash
  tailscale set --ssh
  ```

  Or use the admin console at https://login.tailscale.com/admin
- Invite users to your tailnet:
  - Go to https://login.tailscale.com/admin/users
  - Select “Invite external users”
  - Enter email addresses and send invitations
- Configure SSH access rules:
  - Edit ACL policies at https://login.tailscale.com/admin/acls
  - Define who can SSH where using source, destination, and user filters
- Share devices (if needed):
  - For more restricted access, share individual devices instead of inviting to the full tailnet
  - Shared devices are quarantined by default (can receive but not initiate connections)
Critical Concepts
SSH Access Rules
- ✅ Users CAN SSH into their own devices and tagged devices
- ❌ Users CANNOT SSH into personal devices owned by other users
- ✅ Workaround: Have the device owner tag their device or share it explicitly
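A policy file that expresses these rules, added here as an illustration and not taken from the research notes or from Tailscale's documentation. The names `group:devs`, `tag:server`, `alice@example.com` and the login user `ubuntu` are constructed placeholders; the policy editor accepts the `//` comments shown.

```json
{
  // Constructed example values: group:devs, tag:server, alice@example.com, ubuntu.
  "groups": {
    "group:devs": ["alice@example.com"]
  },
  // Only admins may apply tag:server, so a user cannot tag a device
  // into the shared pool on their own.
  "tagOwners": {
    "tag:server": ["autogroup:admin"]
  },
  // Network-level rules: SSH traffic has to be allowed here as well.
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:server:22"]}
  ],
  "ssh": [
    {
      // Source: any tailnet member. Destination: devices that member owns.
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    },
    {
      // Source: the devs group. Destination: tagged servers only,
      // and only as the named system user.
      "action": "accept",
      "src": ["group:devs"],
      "dst": ["tag:server"],
      "users": ["ubuntu"]
    }
  ]
}
```

No rule here lists another user's personal device as a destination. Access to a colleague's machine only appears once its owner has it tagged (so it matches the `tag:server` rule) or shares it explicitly.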
Invitation Types
| Approach | Use Case | Access | Security |
|---|---|---|---|
| Full Tailnet Invitation | Multiple devices, teams | Entire network (ACL-controlled) | Role-based permissions |
| Device Sharing | Single device, temporary | Only shared machine | Isolated access |
Sources
- Tailscale SSH Documentation
- Invite Any User to Tailnet
- Device Sharing Guide
- ACL Configuration
- Inviting vs Sharing Comparison
Related Research
- claude-code - Remote development environments and access management
- ubuntu-audio-streaming - Network-based device sharing and access
- problems - Troubleshooting reference for Tailscale-related issues
Open Source Alternatives
See open-source-alternatives.md for a comprehensive comparison of:
- Headscale: Self-hosted Tailscale control server (uses official clients)
- NetBird: Fully open source with modern UI and SSO
- Nebula: High-performance by Slack, proven at scale
- ZeroTier: Mature Layer 2 networking platform
- Netmaker: Enterprise mesh networking with WireGuard
- Innernet: Traditional networking concepts with Rust
Last updated: December 10, 2025